header __PDS_PHP_EVAL1 X-PHP-Originating-Script =~ /eval..'d code/i header __PDS_PHP_EVAL2 X-PHP-Originating-Script =~ /runtime-created function/ meta PDS_PHP_EVAL __PDS_PHP_EVAL1 describe PDS_PHP_EVAL PHP header shows eval'd code score PDS_PHP_EVAL 1.5 meta PDS_PHP_RUNTIME_FUNC __PDS_PHP_EVAL2 && !__PDS_PHP_EVAL1 describe PDS_PHP_RUNTIME_FUNC PHP header shows runtime-created function score PDS_PHP_RUNTIME_FUNC 1.5 header __PDS_X_PHP_WPCONTENT X-PHP-Script =~ m;/wp-content/(?:themes|uploads)/[\S]+\.php for;i header __PDS_X_PHP_WPINCLUDES X-PHP-Script =~ m;/wp-includes/(?:css|fonts|js|pomo|Text|theme-compat)/[\S]+\.php for;i header __PDS_X_PHP_WPADMIN X-PHP-Script =~ m;/wp-admin/(?:css|themes|js|images|user|maint)/[\S]+\.php for;i header __PDS_X_PHP_WPJS X-PHP-Script =~ m;/js/[\S]+\.php for;i meta PDS_X_PHP_WP_EXP (__PDS_X_PHP_WPCONTENT || __PDS_X_PHP_WPINCLUDES || __PDS_X_PHP_WPADMIN || __PDS_X_PHP_WPJS) describe PDS_X_PHP_WP_EXP X-PHP-Script shows sent from a Wordpress PHP script where you would not expect one score PDS_X_PHP_WP_EXP 1.5 header __PDS_X_PHP_WELLKNOWN X-PHP-Script =~ m;/\.well-known/; meta PDS_X_PHP_WELLKNOWN __PDS_X_PHP_WELLKNOWN describe PDS_X_PHP_WELLKNOWN X-PHP-Script shows sent from a PHP script in the /.well-known/ dir score PDS_X_PHP_WELLKNOWN 1.0 meta PDS_PHPE_SHORT_URL __PDS_SHORT_URL && (__PDS_PHP_EVAL1 || __PDS_PHP_EVAL2) describe PDS_PHPE_SHORT_URL Short URL that isn't a shortener and sent by PHP exploit score PDS_PHPE_SHORT_URL 2.0 # limit meta PDS_PHPE_URISHORTENER (__PDS_PHP_EVAL1 || __PDS_PHP_EVAL2) && __URL_SHORTENER describe PDS_PHPE_URISHORTENER URI Shortener with PHP eval score PDS_PHPE_URISHORTENER 2.0 # limit meta PDS_PHPEXP_BOT __SENDER_BOT && (__PDS_TONAME_EQ_TOLOCAL + __NAKED_TO >= 1) && (__PDS_PHP_EVAL2 + __PDS_PHP_EVAL1 + PDS_X_PHP_WP_EXP + __PDS_X_PHP_WELLKNOWN >= 1) describe PDS_PHPEXP_BOT PHP exploit bot sender score PDS_PHPEXP_BOT 1.5